Targeted SaaS Impersonation Gives Attackers a Live Feed Into Your AI Workspace
Researchers at Push Security recently discovered a targeted campaign in which threat actors create fraudulent OpenAI tenants impersonating legitimate companies and invite specific employees to join them. The goal appears to be tricking targets into using the attacker-controlled workspace as if it were a sanctioned corporate tool, feeding sensitive data directly into a platform the attacker controls.
This technique, dubbed the “Poisoned Tenant” attack, was first documented by Push Security in 2023 as a theoretical threat. Three years later, it has moved from the research lab into active incident logs, with cybersecurity and technology firms confirmed as the primary targets.
The Invitation Looks Completely Legitimate
What makes this attack particularly effective is that the invitation emails are technically genuine. They originate from OpenAI’s own notification infrastructure ([email protected]), pass all standard email authentication checks (SPF, DKIM, DMARC), and are indistinguishable from a routine organizational invite. The invitations are sent to targeted employees at their work email addresses, indicating that attackers conducted reconnaissance before launching the campaign.
OpenAI does include a warning when the inviter’s email domain does not match the recipient’s domain, but it appears as a single line within an otherwise polished, official-looking email. For any employee who assumes their company has simply set up a new ChatGPT workspace, that warning is easy to overlook.
Push Security's Researchers Accepted One to Find Out What Was Inside
After several Push Security employees received the fraudulent invitations, the team decided to accept one to investigate. Luke Jennings, VP of Research & Development, clicked the invite link from a completely separate browser, one with no existing ChatGPT session. Accepting the invitation required nothing more than clicking the invite link. He was immediately added to the attacker’s organization and landed on a confirmation page telling him he’d joined “Push Security Inc.”
Most employees receiving this invite would have no reason to suspect it wasn’t a legitimate IT rollout. The email looks right, the organization name looks right, and joining requires nothing more than what any normal SaaS onboarding would ask for.
What Jennings Found Inside the Tenant
Once inside, Jennings found a carefully constructed environment designed to appear legitimate. The attacker had created an OpenAI organization under Push Security’s name and set the sole attacker-controlled account to display as the name of Push’s CEO, Adam Bateman. All invited employees had been assigned Owner-level administrative privileges, giving them full control over the tenant. A Visa credit card was already attached to the billing account.
The attached credit card removed a friction point that might otherwise tip an employee off: if they hit a paywall trying to use the API, they’d start asking internally who set up the org. A pre-funded account eliminates that moment of scrutiny, and likely means the card was stolen.
The project itself was empty: no existing chats or seeded documents. The attacker’s strategy appears to rely entirely on employees beginning to use the platform organically. If employees began using the workspace, the attacker, acting as an organization administrator, could gain visibility into organizational activity such as usage information and API interactions, while employees might also submit highly sensitive information through prompts and projects.
Part of a Broader Pattern of SaaS Platform Abuse
This campaign is not an isolated event. Push Security connects it to a growing trend of attackers weaponizing the invitation and notification features built into SaaS platforms to deliver social engineering through trusted channels.
In January 2026, Kaspersky documented attackers stuffing scam content directly into OpenAI organization name fields to abuse the platform’s invitation emails. In April 2026, Cisco Talos published research on the same technique applied across GitHub and Jira, estimating that at its peak nearly 3% of all emails sent from GitHub on a single day were tied to this activity.
This attack surface is massive and largely unmonitored. Most organizations have no visibility into which SaaS platform invitations their employees are receiving or accepting. If an employee joins an attacker-controlled Slack workspace, OpenAI organization, or Jira project, the security team typically has no way to know.
What Your Security Team Should Do Now
Defending against poisoned tenant attacks is harder than defending against traditional phishing because there is no malicious URL to block, no spoofed domain to flag, and no attachment to scan. The invitation is, by every technical measure, genuine. That said, there are concrete steps security teams can take.
- Get visibility into SaaS organization membership. Organizations need tooling that surfaces when employees receive and accept invitations to external SaaS tenants. Browser telemetry, IdP monitoring, and platform API integrations can close this blind spot.
- Retrain employees for invitation-based attacks, not just phishing. Standard phishing awareness training does not cover this scenario. Employees need to understand that a technically authentic email from OpenAI, Microsoft, or GitHub can still be part of an attack, and that joining any organization on any platform is a security-relevant action that should be verified through an internal channel.
- Register your organization’s name on the platforms you use. Where possible, claim your organization’s name on SaaS platforms before attackers can. This does not prevent all impersonation, but it raises the cost for attackers in some environments.
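As an added illustration of the visibility step (example code, not from Push Security or the article), the triage rule below applies the check the article describes, inviter domain versus recipient domain, and adds a tenant-name lookalike check and an administrative-role check. It assumes the invite fields have already been extracted from notification emails or browser telemetry; the domains, names and sample invites are constructed.

```python
"""Triage SaaS tenant invitations for poisoned-tenant indicators.
Added example; the input records and domains are assumptions."""
import re
from dataclasses import dataclass

@dataclass
class Invite:
    platform: str        # e.g. "openai", "github", "jira"
    org_name: str        # tenant/organization name shown in the invite
    inviter_email: str   # account that sent the invite (assumed extractable)
    recipient_email: str
    role: str            # role granted on acceptance

# Domains the company actually owns (constructed for the example).
OUR_DOMAINS = {"push-security.example"}
OUR_NAME = "Push Security"

def _norm(name: str) -> str:
    # Strip legal suffixes and punctuation so "Push Security Inc." ~ "Push Security".
    name = re.sub(r"\b(inc|llc|ltd|corp|gmbh)\b\.?", "", name, flags=re.I)
    return re.sub(r"[^a-z0-9]", "", name.lower())

def triage(inv: Invite) -> list[str]:
    """Return reasons an invite deserves review; an empty list means no finding."""
    reasons = []
    inviter_dom = inv.inviter_email.rsplit("@", 1)[-1].lower()
    recipient_dom = inv.recipient_email.rsplit("@", 1)[-1].lower()
    external = inviter_dom not in OUR_DOMAINS
    if external and inviter_dom != recipient_dom:
        reasons.append("inviter domain differs from recipient domain")
    if external and _norm(inv.org_name) == _norm(OUR_NAME):
        reasons.append("tenant impersonates our organization name")
    if external and inv.role.lower() in {"owner", "admin"}:
        reasons.append("external tenant grants administrative role")
    return reasons

# Constructed sample notifications: an impersonating tenant, a genuine
# internal rollout, and an ordinary partner invite.
SAMPLES = [
    Invite("openai", "Push Security Inc.", "someone@mail.example", "luke@push-security.example", "owner"),
    Invite("openai", "Push Security", "it@push-security.example", "luke@push-security.example", "member"),
    Invite("github", "Acme Partner Org", "dev@acme-partner.example", "luke@push-security.example", "member"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.platform, s.org_name, "->", triage(s) or "ok")
```

Only the first sample trips all three rules; the partner invite is flagged for the domain mismatch alone, which is the same single signal OpenAI's own in-email warning relies on.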
Continuous visibility across your SaaS environment, including which platforms your employees are using and which organizations they belong to, is becoming a necessary component of any modern threat exposure management program. Attackers have recognized that SaaS platforms are both trusted and under-monitored. The organizations that close that gap fastest are the ones that will catch these attacks before they turn into a live data feed for an adversary.
Sources: BleepingComputer | Push Security